# NixOS module: declares the WireGuard interface wg0 for the `deimos` device
# and the sops secrets that hold its key material.
{
  config,
  flake,
  ...
}:
let
  inherit (flake.config.services.instances) wireGuard;
  inherit (flake.config.machines.devices) deimos;
  service = wireGuard;

  # Secret suffixes declared for this host; each becomes "<service.name>-<suffix>".
  # NOTE(review): the public key gets the same root-only handling as the
  # private key. That is harmless, but only the private key is confidential.
  keyNames = [
    "deimos-private"
    "deimos-public"
  ];

  # Builds one name/value pair for builtins.listToAttrs.
  mkSecretEntry = secret: {
    name = "${service.name}-${secret}";
    value = {
      # Location of the secret file under the service's sops directory.
      path = "${service.sops.path0}/${service.name}-${secret}-pass";
      # Root-only read/write; nothing else on the host needs the key file.
      owner = "root";
      mode = "600";
    };
  };
in
{
  networking.wireguard.interfaces.wg0 = {
    # A /32 assigns this host a single tunnel address.
    ips = [ "${deimos.wireguard.ip0}/32" ];
    # The key is referenced by file path and read at runtime, so the private key
    # itself is not written into the world-readable Nix store. This must name
    # the same secret as the "deimos-private" entry in keyNames.
    privateKeyFile = config.sops.secrets."${service.name}-deimos-private".path;
  };

  sops.secrets = builtins.listToAttrs (map mkSecretEntry keyNames);
}